From 4814dfd99b70c6c9991e39e83522311075d1a0af Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 30 Jul 2024 09:55:24 -0400 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...fix-call-order-in-dmam_free_coherent.patch | 52 +++++++++++++++ ...ct-source-address-in-record-route-op.patch | 49 ++++++++++++++ ...-array-index-out-of-bounds-in-difree.patch | 46 +++++++++++++ ...db-address-wformat-security-warnings.patch | 58 ++++++++++++++++ ...kdb-fix-bound-check-compiler-warning.patch | 43 ++++++++++++ ...passed-prompt-in-kdb_position_cursor.patch | 42 ++++++++++++ ...-address-for-gcr_access-register-for.patch | 66 +++++++++++++++++++ ...-fix-a-use-after-free-in-hfcmulti_tx.patch | 55 ++++++++++++++++ ...ectly-annotate-rcu-in-bond_should_no.patch | 53 +++++++++++++++ ...urce-use-new-style-struct-initialize.patch | 59 +++++++++++++++++ queue-4.19/series | 11 ++++ ...zero-value-from-tipc_udp_addr2str-on.patch | 43 ++++++++++++ 12 files changed, 577 insertions(+) create mode 100644 queue-4.19/dma-fix-call-order-in-dmam_free_coherent.patch create mode 100644 queue-4.19/ipv4-fix-incorrect-source-address-in-record-route-op.patch create mode 100644 queue-4.19/jfs-fix-array-index-out-of-bounds-in-difree.patch create mode 100644 queue-4.19/kdb-address-wformat-security-warnings.patch create mode 100644 queue-4.19/kdb-fix-bound-check-compiler-warning.patch create mode 100644 queue-4.19/kdb-use-the-passed-prompt-in-kdb_position_cursor.patch create mode 100644 queue-4.19/mips-smp-cps-fix-address-for-gcr_access-register-for.patch create mode 100644 queue-4.19/misdn-fix-a-use-after-free-in-hfcmulti_tx.patch create mode 100644 queue-4.19/net-bonding-correctly-annotate-rcu-in-bond_should_no.patch create mode 100644 queue-4.19/net-ip_rt_get_source-use-new-style-struct-initialize.patch create mode 100644 queue-4.19/tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch 
diff --git a/queue-4.19/dma-fix-call-order-in-dmam_free_coherent.patch b/queue-4.19/dma-fix-call-order-in-dmam_free_coherent.patch
new file mode 100644
index 00000000000..11220e1d958
--- /dev/null
+++ b/queue-4.19/dma-fix-call-order-in-dmam_free_coherent.patch
@@ -0,0 +1,52 @@
+From f5c839440c615ab6a80ce8d387254743ea951e69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Jul 2024 14:38:24 +0000
+Subject: dma: fix call order in dmam_free_coherent
+
+From: Lance Richardson
+
+[ Upstream commit 28e8b7406d3a1f5329a03aa25a43aa28e087cb20 ]
+
+dmam_free_coherent() frees a DMA allocation, which makes the
+freed vaddr available for reuse, then calls devres_destroy()
+to remove and free the data structure used to track the DMA
+allocation. Between the two calls, it is possible for a
+concurrent task to make an allocation with the same vaddr
+and add it to the devres list.
+
+If this happens, there will be two entries in the devres list
+with the same vaddr and devres_destroy() can free the wrong
+entry, triggering the WARN_ON() in dmam_match.
+
+Fix by destroying the devres entry before freeing the DMA
+allocation.
+
+Tested:
+ kokonut //net/encryption
+ http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03
+
+Fixes: 9ac7849e35f7 ("devres: device resource management")
+Signed-off-by: Lance Richardson
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ kernel/dma/mapping.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/dma/mapping.c b/kernel/dma/mapping.c
+index d2a92ddaac4d1..34edceed643d3 100644
+--- a/kernel/dma/mapping.c
++++ b/kernel/dma/mapping.c
+@@ -97,8 +97,8 @@ void dmam_free_coherent(struct device *dev, size_t size, void *vaddr,
+ {
+ struct dma_devres match_data = { size, vaddr, dma_handle };
+
+- dma_free_coherent(dev, size, vaddr, dma_handle);
+ WARN_ON(devres_destroy(dev, dmam_release, dmam_match, &match_data));
++ dma_free_coherent(dev, size, vaddr, dma_handle);
+ }
+ EXPORT_SYMBOL(dmam_free_coherent);
+
+--
+2.43.0
+
diff --git a/queue-4.19/ipv4-fix-incorrect-source-address-in-record-route-op.patch b/queue-4.19/ipv4-fix-incorrect-source-address-in-record-route-op.patch
new file mode 100644
index 00000000000..3d9ca81af3b
--- /dev/null
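Review bot: The call order in dmam_free_coherent() is now load-bearing and nothing in the code says so; the original order read naturally, so a later cleanup could swap the two calls back. Suggest a comment above the `WARN_ON()` line, e.g. `/* Destroy the devres entry before the vaddr is freed: once freed it can be reallocated and re-registered, and dmam_match() could then find two entries. */`. The positional initializer `{ size, vaddr, dma_handle }` for `match_data` would also be clearer with designated initializers, since it depends on a `struct dma_devres` field order that is not visible here. The dmam_free_coherent() signature starts above the hunk.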
+++ b/queue-4.19/ipv4-fix-incorrect-source-address-in-record-route-op.patch
@@ -0,0 +1,49 @@
+From 1d04089807114d2271ff9892e10f5fad60284e26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 Jul 2024 15:34:07 +0300
+Subject: ipv4: Fix incorrect source address in Record Route option
+
+From: Ido Schimmel
+
+[ Upstream commit cc73bbab4b1fb8a4f53a24645871dafa5f81266a ]
+
+The Record Route IP option records the addresses of the routers that
+routed the packet. In the case of forwarded packets, the kernel performs
+a route lookup via fib_lookup() and fills in the preferred source
+address of the matched route.
+
+The lookup is performed with the DS field of the forwarded packet, but
+using the RT_TOS() macro which only masks one of the two ECN bits. If
+the packet is ECT(0) or CE, the matched route might be different than
+the route via which the packet was forwarded as the input path masks
+both of the ECN bits, resulting in the wrong address being filled in the
+Record Route option.
+
+Fix by masking both of the ECN bits.
+
+Fixes: 8e36360ae876 ("ipv4: Remove route key identity dependencies in ip_rt_get_source().")
+Signed-off-by: Ido Schimmel
+Reviewed-by: Guillaume Nault
+Link: https://patch.msgid.link/20240718123407.434778-1-idosch@nvidia.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 1aac0d77a3aa1..437960825ec2f 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1277,7 +1277,7 @@ void ip_rt_get_source(u8 *addr, struct sk_buff *skb, struct rtable *rt)
+ struct flowi4 fl4 = {
+ .daddr = iph->daddr,
+ .saddr = iph->saddr,
+- .flowi4_tos = RT_TOS(iph->tos),
++ .flowi4_tos = iph->tos & IPTOS_RT_MASK,
+ .flowi4_oif = rt->dst.dev->ifindex,
+ .flowi4_iif = skb->dev->ifindex,
+ .flowi4_mark = skb->mark,
+--
+2.43.0
+
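Review bot: The reason `.flowi4_tos = iph->tos & IPTOS_RT_MASK` must not be `RT_TOS()` lives only in the commit message, so the next reader of ip_rt_get_source() has nothing stopping them from "normalising" it back; inline it: `.flowi4_tos = iph->tos & IPTOS_RT_MASK, /* mask both ECN bits, as the input path does */`. This hunk only applies on top of the designated-initializer refactor queued as net-ip_rt_get_source-use-new-style-struct-initialize.patch, and the series file in this commit does order that patch first. The enclosing ip_rt_get_source() starts and ends outside the hunk.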
diff --git a/queue-4.19/jfs-fix-array-index-out-of-bounds-in-difree.patch b/queue-4.19/jfs-fix-array-index-out-of-bounds-in-difree.patch
new file mode 100644
index 00000000000..36546da3e9e
--- /dev/null
+++ b/queue-4.19/jfs-fix-array-index-out-of-bounds-in-difree.patch
@@ -0,0 +1,46 @@
+From d8a52d6bd4ed1d31309b5ddd45a718a5b5a00190 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 30 May 2024 22:28:09 +0900
+Subject: jfs: Fix array-index-out-of-bounds in diFree
+
+From: Jeongjun Park
+
+[ Upstream commit f73f969b2eb39ad8056f6c7f3a295fa2f85e313a ]
+
+Reported-by: syzbot+241c815bda521982cb49@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jeongjun Park
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/jfs_imap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
+index 00800c8c6f077..9893cb6b8a756 100644
+--- a/fs/jfs/jfs_imap.c
++++ b/fs/jfs/jfs_imap.c
+@@ -305,7 +305,7 @@ int diSync(struct inode *ipimap)
+ int diRead(struct inode *ip)
+ {
+ struct jfs_sb_info *sbi = JFS_SBI(ip->i_sb);
+- int iagno, ino, extno, rc;
++ int iagno, ino, extno, rc, agno;
+ struct inode *ipimap;
+ struct dinode *dp;
+ struct iag *iagp;
+@@ -354,8 +354,11 @@ int diRead(struct inode *ip)
+
+ /* get the ag for the iag */
+ agstart = le64_to_cpu(iagp->agstart);
++ agno = BLKTOAG(agstart, JFS_SBI(ip->i_sb));
+
+ release_metapage(mp);
++ if (agno >= MAXAG || agno < 0)
++ return -EIO;
+
+ rel_inode = (ino & (INOSPERPAGE - 1));
+ pageno = blkno >> sbi->l2nbperpage;
+--
+2.43.0
+
diff --git a/queue-4.19/kdb-address-wformat-security-warnings.patch b/queue-4.19/kdb-address-wformat-security-warnings.patch
new file mode 100644
index 00000000000..26ba78fc374
--- /dev/null
+++ b/queue-4.19/kdb-address-wformat-security-warnings.patch
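Review bot: `agno = BLKTOAG(agstart, JFS_SBI(ip->i_sb));` recomputes what diRead() already holds in `sbi` (declared in the first hunk as `struct jfs_sb_info *sbi = JFS_SBI(ip->i_sb)`), so `agno = BLKTOAG(agstart, sbi);` is shorter and matches the `sbi->l2nbperpage` use a few lines below. Placing the range check after `release_metapage(mp)` is the right order, since an early `return -EIO` before it would leak the metapage; a one-line comment such as `/* agstart comes from disk: reject an AG index outside the per-AG tables before it is used */` would make the untrusted-input origin explicit. The commit body contains only tags; one sentence on why rejecting a bad on-disk `agstart` in diRead() prevents the diFree() out-of-bounds named in the subject would help stable reviewers. diRead() continues outside the hunk.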
@@ -0,0 +1,58 @@
+From cee8113f8734060ea8e33cff8ed229fc5e452195 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 May 2024 14:11:48 +0200
+Subject: kdb: address -Wformat-security warnings
+
+From: Arnd Bergmann
+
+[ Upstream commit 70867efacf4370b6c7cdfc7a5b11300e9ef7de64 ]
+
+When -Wformat-security is not disabled, using a string pointer
+as a format causes a warning:
+
+kernel/debug/kdb/kdb_io.c: In function 'kdb_read':
+kernel/debug/kdb/kdb_io.c:365:36: error: format not a string literal and no format arguments [-Werror=format-security]
+ 365 | kdb_printf(kdb_prompt_str);
+ | ^~~~~~~~~~~~~~
+kernel/debug/kdb/kdb_io.c: In function 'kdb_getstr':
+kernel/debug/kdb/kdb_io.c:456:20: error: format not a string literal and no format arguments [-Werror=format-security]
+ 456 | kdb_printf(kdb_prompt_str);
+ | ^~~~~~~~~~~~~~
+
+Use an explcit "%s" format instead.
+
+Signed-off-by: Arnd Bergmann
+Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)")
+Reviewed-by: Douglas Anderson
+Link: https://lore.kernel.org/r/20240528121154.3662553-1-arnd@kernel.org
+Signed-off-by: Daniel Thompson
+Signed-off-by: Sasha Levin
+---
+ kernel/debug/kdb/kdb_io.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c
+index 5358e8a8b6f11..9ce4e52532b77 100644
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -368,7 +368,7 @@ static char *kdb_read(char *buffer, size_t bufsize)
+ if (i >= dtab_count)
+ kdb_printf("...");
+ kdb_printf("\n");
+- kdb_printf(kdb_prompt_str);
++ kdb_printf("%s", kdb_prompt_str);
+ kdb_printf("%s", buffer);
+ if (cp != lastchar)
+ kdb_position_cursor(kdb_prompt_str, buffer, cp);
+@@ -460,7 +460,7 @@ char *kdb_getstr(char *buffer, size_t bufsize, const char *prompt)
+ {
+ if (prompt && kdb_prompt_str != prompt)
+ strscpy(kdb_prompt_str, prompt, CMD_BUFLEN);
+- kdb_printf(kdb_prompt_str);
++ kdb_printf("%s", kdb_prompt_str);
+ kdb_nextline = 1; /* Prompt and
input resets line number */
+ return kdb_read(buffer, bufsize);
+ }
+--
+2.43.0
+
diff --git a/queue-4.19/kdb-fix-bound-check-compiler-warning.patch b/queue-4.19/kdb-fix-bound-check-compiler-warning.patch
new file mode 100644
index 00000000000..73f05e38136
--- /dev/null
+++ b/queue-4.19/kdb-fix-bound-check-compiler-warning.patch
@@ -0,0 +1,43 @@
+From 21f00cb98e9f1d8d1f91d2274b1c04652015d3b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 May 2019 16:57:20 +0800
+Subject: kdb: Fix bound check compiler warning
+
+From: Wenlin Kang
+
+[ Upstream commit ca976bfb3154c7bc67c4651ecd144fdf67ccaee7 ]
+
+The strncpy() function may leave the destination string buffer
+unterminated, better use strscpy() instead.
+
+This fixes the following warning with gcc 8.2:
+
+kernel/debug/kdb/kdb_io.c: In function 'kdb_getstr':
+kernel/debug/kdb/kdb_io.c:449:3: warning: 'strncpy' specified bound 256 equals destination size [-Wstringop-truncation]
+ strncpy(kdb_prompt_str, prompt, CMD_BUFLEN);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Wenlin Kang
+Signed-off-by: Daniel Thompson
+Stable-dep-of: 70867efacf43 ("kdb: address -Wformat-security warnings")
+Signed-off-by: Sasha Levin
+---
+ kernel/debug/kdb/kdb_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c
+index acc8e13b823b2..5358e8a8b6f11 100644
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -459,7 +459,7 @@ static char *kdb_read(char *buffer, size_t bufsize)
+ char *kdb_getstr(char *buffer, size_t bufsize, const char *prompt)
+ {
+ if (prompt && kdb_prompt_str != prompt)
+- strncpy(kdb_prompt_str, prompt, CMD_BUFLEN);
++ strscpy(kdb_prompt_str, prompt, CMD_BUFLEN);
+ kdb_printf(kdb_prompt_str);
+ kdb_nextline = 1; /* Prompt and input resets line number */
+ return kdb_read(buffer, bufsize);
+--
+2.43.0
+
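Review bot: The `"%s"` change is the right fix, but the commit log frames it as warning hygiene only; `kdb_prompt_str` is filled from the caller-supplied `prompt` by the `strscpy()` two lines above the second change, so whenever that text is runtime data (its origin is outside this hunk), passing it as the format let `%` conversions reach `kdb_printf()` without matching arguments. A short comment at the first changed line would pin the contract for future callers: `/* the prompt is runtime data; never use it as the format string */`. `kdb_printf("%s", buffer)` on the following context line already follows that rule. Both kdb_read() and kdb_getstr() are cut by the hunk.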
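Review bot: The `strscpy()` return value is discarded, so a `prompt` longer than `CMD_BUFLEN - 1` is silently truncated; for a prompt that is acceptable, but a comment makes the choice deliberate, e.g. `strscpy(kdb_prompt_str, prompt, CMD_BUFLEN); /* truncation is fine for a prompt */`. The `kdb_prompt_str != prompt` guard on the context line is what keeps `strscpy()` from copying a buffer onto itself, which it does not support, and deserves a comment of its own. The remaining `kdb_printf(kdb_prompt_str)` context line is addressed by the queued kdb-address-wformat-security-warnings.patch, for which this patch is marked as the stable dependency. kdb_getstr() ends outside the hunk.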
diff --git a/queue-4.19/kdb-use-the-passed-prompt-in-kdb_position_cursor.patch b/queue-4.19/kdb-use-the-passed-prompt-in-kdb_position_cursor.patch
new file mode 100644
index 00000000000..a181a8ae31f
--- /dev/null
+++ b/queue-4.19/kdb-use-the-passed-prompt-in-kdb_position_cursor.patch
@@ -0,0 +1,42 @@
+From d2bf235051338957b4bc6b738c8e6c07b7dea2b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 May 2024 07:11:48 -0700
+Subject: kdb: Use the passed prompt in kdb_position_cursor()
+
+From: Douglas Anderson
+
+[ Upstream commit e2e821095949cde46256034975a90f88626a2a73 ]
+
+The function kdb_position_cursor() takes in a "prompt" parameter but
+never uses it. This doesn't _really_ matter since all current callers
+of the function pass the same value and it's a global variable, but
+it's a bit ugly. Let's clean it up.
+
+Found by code inspection. This patch is expected to functionally be a
+no-op.
+
+Fixes: 09b35989421d ("kdb: Use format-strings rather than '\0' injection in kdb_read()")
+Signed-off-by: Douglas Anderson
+Link: https://lore.kernel.org/r/20240528071144.1.I0feb49839c6b6f4f2c4bf34764f5e95de3f55a66@changeid
+Signed-off-by: Daniel Thompson
+Signed-off-by: Sasha Levin
+---
+ kernel/debug/kdb/kdb_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c
+index 9ce4e52532b77..bfce77a0daac8 100644
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -192,7 +192,7 @@ static int kdb_read_get_key(char *buffer, size_t bufsize)
+ */
+ static void kdb_position_cursor(char *prompt, char *buffer, char *cp)
+ {
+- kdb_printf("\r%s", kdb_prompt_str);
++ kdb_printf("\r%s", prompt);
+ if (cp > buffer)
+ kdb_printf("%.*s", (int)(cp - buffer), buffer);
+ }
+--
+2.43.0
+
diff --git a/queue-4.19/mips-smp-cps-fix-address-for-gcr_access-register-for.patch b/queue-4.19/mips-smp-cps-fix-address-for-gcr_access-register-for.patch
new file mode 100644
index 00000000000..717c27608fc
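Review bot: `kdb_printf("\r%s", prompt)` now reads through `prompt`, and the function body visible here never writes through any of its three pointers, so the signature could be tightened to `static void kdb_position_cursor(const char *prompt, const char *buffer, const char *cp)`; kdb_getstr() already takes `const char *prompt`, so the qualifier would flow through the call chain instead of being dropped. The function header comment (its closing `*/` is the first context line) should say that `prompt` is printed verbatim after the carriage return, now that the parameter matters. The change is a no-op only while every caller passes `kdb_prompt_str`, which the commit message states but the hunk cannot show.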
--- /dev/null
+++ b/queue-4.19/mips-smp-cps-fix-address-for-gcr_access-register-for.patch
@@ -0,0 +1,66 @@
+From ed8b1248683d49b8bfec2734fb546a37acfcc8dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Jul 2024 15:15:39 +0200
+Subject: MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later
+
+From: Gregory CLEMENT
+
+[ Upstream commit a263e5f309f32301e1f3ad113293f4e68a82a646 ]
+
+When the CM block migrated from CM2.5 to CM3.0, the address offset for
+the Global CSR Access Privilege register was modified. We saw this in
+the "MIPS64 I6500 Multiprocessing System Programmer's Guide," it is
+stated that "the Global CSR Access Privilege register is located at
+offset 0x0120" in section 5.4. It is at least the same for I6400.
+
+This fix allows to use the VP cores in SMP mode if the reset values
+were modified by the bootloader.
+
+Based on the work of Vladimir Kondratiev
+ and the feedback from Jiaxun Yang
+.
+
+Fixes: 197e89e0984a ("MIPS: mips-cm: Implement mips_cm_revision")
+Signed-off-by: Gregory CLEMENT
+Reviewed-by: Jiaxun Yang
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/include/asm/mips-cm.h | 4 ++++
+ arch/mips/kernel/smp-cps.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/mips-cm.h b/arch/mips/include/asm/mips-cm.h
+index 890e51b159e06..11a3d5120e2b5 100644
+--- a/arch/mips/include/asm/mips-cm.h
++++ b/arch/mips/include/asm/mips-cm.h
+@@ -232,6 +232,10 @@ GCR_ACCESSOR_RO(32, 0x0d0, gic_status)
+ GCR_ACCESSOR_RO(32, 0x0f0, cpc_status)
+ #define CM_GCR_CPC_STATUS_EX BIT(0)
+
++/* GCR_ACCESS - Controls core/IOCU access to GCRs */
++GCR_ACCESSOR_RW(32, 0x120, access_cm3)
++#define CM_GCR_ACCESS_ACCESSEN GENMASK(7, 0)
++
+ /* GCR_L2_CONFIG - Indicates L2 cache configuration when Config5.L2C=1 */
+ GCR_ACCESSOR_RW(32, 0x130, l2_config)
+ #define CM_GCR_L2_CONFIG_BYPASS BIT(20)
+diff --git a/arch/mips/kernel/smp-cps.c b/arch/mips/kernel/smp-cps.c
+index 03f1026ad1484..1861b20e978d0 100644
+--- a/arch/mips/kernel/smp-cps.c
++++
b/arch/mips/kernel/smp-cps.c
+@@ -233,7 +233,10 @@ static void boot_core(unsigned int core, unsigned int vpe_id)
+ write_gcr_co_reset_ext_base(CM_GCR_Cx_RESET_EXT_BASE_UEB);
+
+ /* Ensure the core can access the GCRs */
+- set_gcr_access(1 << core);
++ if (mips_cm_revision() < CM_REV_CM3)
++ set_gcr_access(1 << core);
++ else
++ set_gcr_access_cm3(1 << core);
+
+ if (mips_cpc_present()) {
+ /* Reset the core */
+--
+2.43.0
+
diff --git a/queue-4.19/misdn-fix-a-use-after-free-in-hfcmulti_tx.patch b/queue-4.19/misdn-fix-a-use-after-free-in-hfcmulti_tx.patch
new file mode 100644
index 00000000000..1f25648018d
--- /dev/null
+++ b/queue-4.19/misdn-fix-a-use-after-free-in-hfcmulti_tx.patch
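Review bot: `set_gcr_access_cm3(1 << core)` writes a bare shifted bit while the header hunk defines the field as `CM_GCR_ACCESS_ACCESSEN GENMASK(7, 0)` and then never uses it; whether a CM3 system can present more than eight cores is not determinable here, but if it can, the write lands outside the field, so either document the limit next to the define or make the expectation checkable, e.g. `WARN_ON_ONCE(!(BIT(core) & CM_GCR_ACCESS_ACCESSEN));` before the call. `BIT(core)` is also the usual form for a single-bit mask and avoids the signed `1 << core` for large core numbers. The new header comment `/* GCR_ACCESS - Controls core/IOCU access to GCRs */` does not say it applies to CM3 and later only, which is the whole point of the accessor; `/* GCR_ACCESS (CM3 and later) - Controls core/IOCU access to GCRs; earlier revisions use the original offset */` would. boot_core() starts and ends outside the hunk.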
@@ -0,0 +1,55 @@
+From 0608f7b50aecbe3163d8c6f546b3a8b1d840124e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Jul 2024 11:08:18 -0500
+Subject: mISDN: Fix a use after free in hfcmulti_tx()
+
+From: Dan Carpenter
+
+[ Upstream commit 61ab751451f5ebd0b98e02276a44e23a10110402 ]
+
+Don't dereference *sp after calling dev_kfree_skb(*sp).
+
+Fixes: af69fb3a8ffa ("Add mISDN HFC multiport driver")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/8be65f5a-c2dd-4ba0-8a10-bfe5980b8cfb@stanley.mountain
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/isdn/hardware/mISDN/hfcmulti.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcmulti.c b/drivers/isdn/hardware/mISDN/hfcmulti.c
+index 60b3a4aabe6b8..9010d5ca3cd53 100644
+--- a/drivers/isdn/hardware/mISDN/hfcmulti.c
++++ b/drivers/isdn/hardware/mISDN/hfcmulti.c
+@@ -1945,7 +1945,7 @@ hfcmulti_dtmf(struct hfc_multi *hc)
+ static void
+ hfcmulti_tx(struct hfc_multi *hc, int ch)
+ {
+- int i, ii, temp, len = 0;
++ int i, ii, temp, tmp_len, len = 0;
+ int Zspace, z1, z2; /* must be int for calculation */
+ int Fspace, f1, f2;
+ u_char *d;
+@@ -2166,14 +2166,15 @@ hfcmulti_tx(struct hfc_multi *hc, int ch)
+ HFC_wait_nodebug(hc);
+ }
+
++ tmp_len = (*sp)->len;
+ dev_kfree_skb(*sp);
+ /* check for next frame */
+ if (bch && get_next_bframe(bch)) {
+- len = (*sp)->len;
++ len = tmp_len;
+ goto next_frame;
+ }
+ if (dch && get_next_dframe(dch)) {
+- len = (*sp)->len;
++ len = tmp_len;
+ goto next_frame;
+ }
+
+--
+2.43.0
+
diff --git a/queue-4.19/net-bonding-correctly-annotate-rcu-in-bond_should_no.patch b/queue-4.19/net-bonding-correctly-annotate-rcu-in-bond_should_no.patch
new file mode 100644
index 00000000000..01d4ce87de1
--- /dev/null
+++ b/queue-4.19/net-bonding-correctly-annotate-rcu-in-bond_should_no.patch
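Review bot: `tmp_len = (*sp)->len` correctly hoists the read above `dev_kfree_skb(*sp)`, but `*sp` itself is left pointing at freed memory; if `get_next_bframe()` or `get_next_dframe()` does not replace `*sp` on the `goto next_frame` path (which this hunk cannot show), the same use-after-free reappears at the label. Clearing it right after the free, `dev_kfree_skb(*sp); *sp = NULL;`, turns any missed reload into a null dereference that crashes loudly instead of reading freed memory, at no cost. The name `tmp_len` could also say what it holds, e.g. `freed_len`, so the two `len = tmp_len` lines read as carrying over the length of the frame just released. hfcmulti_tx() starts and ends outside the hunk.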
@@ -0,0 +1,53 @@
+From 3ebd35a9a0aa902cfb4b47537b55b8dafbd7e856 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Jul 2024 09:41:18 -0700
+Subject: net: bonding: correctly annotate RCU in bond_should_notify_peers()
+
+From: Johannes Berg
+
+[ Upstream commit 3ba359c0cd6eb5ea772125a7aededb4a2d516684 ]
+
+RCU use in bond_should_notify_peers() looks wrong, since it does
+rcu_dereference(), leaves the critical section, and uses the
+pointer after that.
+
+Luckily, it's called either inside a nested RCU critical section
+or with the RTNL held.
+
+Annotate it with rcu_dereference_rtnl() instead, and remove the
+inner RCU critical section.
+
+Fixes: 4cb4f97b7e36 ("bonding: rebuild the lock use for bond_mii_monitor()")
+Reviewed-by: Jiri Pirko
+Signed-off-by: Johannes Berg
+Acked-by: Jay Vosburgh
+Link: https://patch.msgid.link/20240719094119.35c62455087d.I68eb9c0f02545b364b79a59f2110f2cf5682a8e2@changeid
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bonding/bond_main.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 79b36f1c50aec..f0c0da85ba4fc 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -774,13 +774,10 @@ static struct slave *bond_find_best_slave(struct bonding *bond)
+ return bestslave;
+ }
+
++/* must be called in RCU critical section or with RTNL held */
+ static bool bond_should_notify_peers(struct bonding *bond)
+ {
+- struct slave *slave;
+-
+- rcu_read_lock();
+- slave = rcu_dereference(bond->curr_active_slave);
+- rcu_read_unlock();
++ struct slave *slave = rcu_dereference_rtnl(bond->curr_active_slave);
+
+ if (!slave || !bond->send_peer_notif ||
+ !netif_carrier_ok(bond->dev) ||
+--
+2.43.0
+
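Review bot: The new comment `/* must be called in RCU critical section or with RTNL held */` states the rule but not why it matters, and the only enforcement is the lockdep check inside `rcu_dereference_rtnl()`, which is absent in non-debug builds; since `slave` is dereferenced on the lines that follow and the function continues past the hunk, say what the caller's section protects: `/* Caller must hold RTNL or be inside an RCU read-side critical section; the slave pointer is only valid for that duration. */`. Removing the local `rcu_read_lock()`/`rcu_read_unlock()` pair is correct, because it covered only the dereference and not the uses after it, which is exactly the pattern the commit message describes. bond_should_notify_peers() ends outside the hunk.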
diff --git a/queue-4.19/net-ip_rt_get_source-use-new-style-struct-initialize.patch b/queue-4.19/net-ip_rt_get_source-use-new-style-struct-initialize.patch
new file mode 100644
index 00000000000..f289095b592
--- /dev/null
+++ b/queue-4.19/net-ip_rt_get_source-use-new-style-struct-initialize.patch
@@ -0,0 +1,59 @@
+From 53f2d0d6ef858505d8c15dd287137401027199eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 29 Sep 2018 23:44:46 -0700
+Subject: net: ip_rt_get_source() - use new style struct initializer instead of
+ memset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski
+
+[ Upstream commit e351bb6227fbe2bb5da6f38a4cf5bd18810b0557 ]
+
+(allows for better compiler optimization)
+
+Signed-off-by: Maciej Żenczykowski
+Reviewed-by: David Ahern
+Signed-off-by: David S. Miller
+Stable-dep-of: cc73bbab4b1f ("ipv4: Fix incorrect source address in Record Route option")
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/route.c | 21 +++++++++------------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 3c5401dafdeed..1aac0d77a3aa1 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1273,18 +1273,15 @@ void ip_rt_get_source(u8 *addr, struct sk_buff *skb, struct rtable *rt)
+ src = ip_hdr(skb)->saddr;
+ else {
+ struct fib_result res;
+- struct flowi4 fl4;
+- struct iphdr *iph;
+-
+- iph = ip_hdr(skb);
+-
+- memset(&fl4, 0, sizeof(fl4));
+- fl4.daddr = iph->daddr;
+- fl4.saddr = iph->saddr;
+- fl4.flowi4_tos = RT_TOS(iph->tos);
+- fl4.flowi4_oif = rt->dst.dev->ifindex;
+- fl4.flowi4_iif = skb->dev->ifindex;
+- fl4.flowi4_mark = skb->mark;
++ struct iphdr *iph = ip_hdr(skb);
++ struct flowi4 fl4 = {
++ .daddr = iph->daddr,
++ .saddr = iph->saddr,
++ .flowi4_tos = RT_TOS(iph->tos),
++ .flowi4_oif = rt->dst.dev->ifindex,
++ .flowi4_iif = skb->dev->ifindex,
++ .flowi4_mark = skb->mark,
++ };
+
+ rcu_read_lock();
+ if (fib_lookup(dev_net(rt->dst.dev), &fl4, &res, 0) == 0)
+--
+2.43.0
+
diff --git a/queue-4.19/series b/queue-4.19/series
index d427ba7a901..8e498925e58 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
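Review bot: `struct iphdr *iph = ip_hdr(skb);` is only read through in this block (`iph->daddr`, `iph->saddr`, `iph->tos`), so `const struct iphdr *iph = ip_hdr(skb);` would state that and stop the header from being writable by accident. The designated initializer relies on every unnamed `flowi4` member being zeroed, which is what the removed `memset()` did explicitly; the commit body says only "better compiler optimization", and one sentence noting that zero-initialization of the remaining members is intended would make the equivalence reviewable. This patch is queued as the stable dependency of ipv4-fix-incorrect-source-address-in-record-route-op.patch, which rewrites the `.flowi4_tos` line again. ip_rt_get_source() starts and ends outside the hunk.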
@@ -92,3 +92,14 @@ platform-mips-cpu_hwmon-disable-driver-on-unsupported-hardware.patch rdma-iwcm-fix-a-use-after-free-related-to-destroying-cm-ids.patch selftests-sigaltstack-fix-ppc64-gcc-build.patch nilfs2-handle-inconsistent-state-in-nilfs_btnode_create_block.patch +kdb-fix-bound-check-compiler-warning.patch +kdb-address-wformat-security-warnings.patch +kdb-use-the-passed-prompt-in-kdb_position_cursor.patch +jfs-fix-array-index-out-of-bounds-in-difree.patch +dma-fix-call-order-in-dmam_free_coherent.patch +mips-smp-cps-fix-address-for-gcr_access-register-for.patch +net-ip_rt_get_source-use-new-style-struct-initialize.patch +ipv4-fix-incorrect-source-address-in-record-route-op.patch +net-bonding-correctly-annotate-rcu-in-bond_should_no.patch +tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch +misdn-fix-a-use-after-free-in-hfcmulti_tx.patch diff --git a/queue-4.19/tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch b/queue-4.19/tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch new file mode 100644 index 00000000000..61ff634e6d2 --- /dev/null +++ b/queue-4.19/tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch 
@@ -0,0 +1,43 @@
+From 4b00e0afab73cfa1f85836be29b9206911aeb022 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Jul 2024 11:09:05 +0900
+Subject: tipc: Return non-zero value from tipc_udp_addr2str() on error
+
+From: Shigeru Yoshida
+
+[ Upstream commit fa96c6baef1b5385e2f0c0677b32b3839e716076 ]
+
+tipc_udp_addr2str() should return non-zero value if the UDP media
+address is invalid. Otherwise, a buffer overflow access can occur in
+tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP
+media address.
+
+Fixes: d0f91938bede ("tipc: add ip/udp media type")
+Signed-off-by: Shigeru Yoshida
+Reviewed-by: Tung Nguyen
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/tipc/udp_media.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
+index 1d62354797061..796309b50bb6a 100644
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -127,8 +127,11 @@ static int tipc_udp_addr2str(struct tipc_media_addr *a, char *buf, int size)
+ snprintf(buf, size, "%pI4:%u", &ua->ipv4, ntohs(ua->port));
+ else if (ntohs(ua->proto) == ETH_P_IPV6)
+ snprintf(buf, size, "%pI6:%u", &ua->ipv6, ntohs(ua->port));
+- else
++ else {
+ pr_err("Invalid UDP media address\n");
++ return 1;
++ }
++
+ return 0;
+ }
+
+--
+2.43.0
+
--
2.47.3
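Review bot: On the new error path `buf` is never written, so any caller that ignores the return value and prints `buf` anyway reads whatever the buffer held before; `size` is already available, so terminating it costs one line before `return 1;`: `if (size > 0) buf[0] = '\0';`. Kernel coding style asks for braces on all arms once one arm needs them, so the `if` and `else if` arms with a single `snprintf()` should be braced now that the `else` is. The bare `1` follows the `addr2str` convention only if callers test for non-zero, which the commit message asserts but the hunk cannot show; a comment on the return line, `/* non-zero: caller must not use buf */`, would pin that contract. tipc_udp_addr2str() begins outside the hunk.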